20 federal agencies miss deadline for implementing cyber incident tracking requirements, watchdog says

The Government Accountability Office found that just three federal agencies were in compliance with the Office of Management and Budget’s advanced cyber event logging requirements.

Twenty federal agencies failed to meet the Biden administration’s deadline for implementing the most advanced cyber event logging requirements across their systems, with most agencies failing to implement even basic incident tracking standards, according to a recent report from the Government Accountability Office.

In a Dec. 4 performance audit of 23 federal civilian agencies, GAO found that “many agencies have not met requirements for investigative and remediation (event logging) capabilities.”

President Joe Biden issued a May 2021 cybersecurity executive order that required, in part, agencies “to establish requirements for logging, log retention and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency.”

The Office of Management and Budget subsequently released a memo in August 2021 that established a tiered maturity model to “help agencies prioritize their efforts and resources” in complying with the order’s requirements. The memo required all covered agencies to meet tier 3 compliance — in which “logging requirements at all criticality levels are met” — by August 2023. 

The report found that 17 agencies had failed to advance beyond complying with OMB’s tier 0 standards, in which “logging requirements of highest criticality are either not met or are only partially met.” GAO found that just three agencies — the Small Business Administration, the National Science Foundation and the Department of Agriculture — met OMB’s August deadline for tier 3 compliance.

“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate and remediate cyber threats will be constrained,” the report said. 

GAO attributed the agencies’ failure to fully prepare for and respond to cyber incidents to a lack of staff, technical challenges with event logging and limitations in cyberthreat information sharing. 

It noted that ongoing initiatives — such as “onsite cyber incident response assistance from [the Cybersecurity and Infrastructure Security Agency], event logging workshops and guidance and enhancements to a cyber threat information sharing platform” — could provide agencies with the support they need to bolster their cybersecurity practices. 

“In addition, there are long-term efforts planned such as implementation of the National Workforce and Education Strategy and a new threat intelligence platform offering from CISA, targeted to roll out its first phase to federal departments and agencies in fiscal year 2024,” the report added. 

GAO’s report made 20 recommendations to 19 agencies, including calling for them to “fully implement event logging requirements.”

The report comes as OMB released a memo with new cybersecurity targets and requirements for agencies to hit ahead of FY2024 FISMA reviews.

While the Department of Defense was not included in GAO’s report because the Pentagon is not governed by the same cyber requirements that apply to other agencies, the department is not immune to problems when it comes to addressing cyber vulnerabilities. 

A special report released by the Pentagon's internal watchdog on Dec. 4 warned that Department of Defense contractors are continuing to face challenges when it comes to safeguarding controlled unclassified information, including failing to enforce multifactor authentication and using weak passwords.